From Linguist to Nation-State Hunter
In a recent Gula Tech Adventures video, Ron Gula explored one of the most controversial developments in cyber defense: the growing intersection of offensive security practices with private sector threat intelligence. The video begins with a satirical animated short followed by a detailed podcast-style interview with Danny Adamitis, a threat hunter at Lumen’s Black Lotus Labs. Together, they unpack some of the most pressing challenges in modern cybersecurity—from kernel implants and router malware to the ethics of "hacking back."
The Sophos Incident: When Defense Becomes Offense
The animated short and its follow-up discussion center around a postmortem of the attack reported by Sophos in their Pacific Rim report. Sophos’ X-Ops team deployed what they described as a "specialized kernel implant" on devices believed to be operated by exploit developers. But the language sparked immediate controversy.
Bill, a former Cyber Command officer and podcast participant, criticized the euphemistic wording. “Call it what it is—malware,” he insisted. The issue wasn’t just the terminology; it was the ethics. Deploying implants on foreign systems—even when operated by threat actors—raises questions about legality, escalation, and collateral damage.
The podcast panel—made up of ex-government, private sector, and academic experts—debated whether such actions amount to justified cyber defense or vigilante counter-hacking. As one guest noted, the core internet infrastructure has been compromised by adversaries like China. But does that justify hacking them back?
Letters of Marque and Cyber Buccaneers
One of the more provocative moments in the podcast involved the idea of granting modern-day “letters of marque”—government-sanctioned authority for private companies to engage in counter-offensive operations. Historically, these letters legalized piracy under the guise of wartime privateering. The cyber version? Equipping cybersecurity firms with legal cover to “hack back” adversaries.
While panelist Linda was in favor of such measures as a deterrent to foreign actors, others were wary. The main concerns? Lack of oversight, the risk of collateral damage, and the potential for escalating global cyber conflict. “We don’t want Pepsi’s routers taken out just because Coke is protecting a recipe,” Bill warned.
Enter Danny Adamitis: The Human Threat Detector
The second half of the video shifts from satire to substance as Ron interviews Danny Adamitis of Lumen’s Black Lotus Labs. With a background in Russian linguistics and international relations, Danny took an unusual route to threat hunting. He started out translating hacker forum chatter; his curiosity then led him deeper into malware analysis and eventually to full-scale ISP-level cyber detection.
Danny's team doesn’t just respond to known threats—they actively hunt for them. He describes a hybrid approach: combining flow data analysis, anomaly detection, domain age heuristics, and even graph theory to spot botnets and command-and-control (C2) infrastructure before attackers can cause damage.
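The hybrid approach described above can be shown end to end on a handful of records. The following is an added example written for this page, not code from Black Lotus Labs or Lumen: it scores a destination on three of the signals named in the paragraph (regular beaconing in flow data, a recently registered domain, and fan-in from several internal hosts in the connection graph). The flow records, the IP-to-domain mapping, the registration dates and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed NetFlow-style records: seconds since capture start, source, destination, port, bytes.
# Two internal hosts contact 203.0.113.9 at a fixed 300 s cadence; 10.0.0.5 also browses normally.
FLOWS = [
    {"ts": 0,   "src": "10.0.0.5", "dst": "203.0.113.9",   "dport": 443, "bytes": 412},
    {"ts": 300, "src": "10.0.0.5", "dst": "203.0.113.9",   "dport": 443, "bytes": 415},
    {"ts": 600, "src": "10.0.0.5", "dst": "203.0.113.9",   "dport": 443, "bytes": 410},
    {"ts": 900, "src": "10.0.0.5", "dst": "203.0.113.9",   "dport": 443, "bytes": 414},
    {"ts": 17,  "src": "10.0.0.7", "dst": "203.0.113.9",   "dport": 443, "bytes": 408},
    {"ts": 317, "src": "10.0.0.7", "dst": "203.0.113.9",   "dport": 443, "bytes": 409},
    {"ts": 617, "src": "10.0.0.7", "dst": "203.0.113.9",   "dport": 443, "bytes": 411},
    {"ts": 917, "src": "10.0.0.7", "dst": "203.0.113.9",   "dport": 443, "bytes": 407},
    {"ts": 5,   "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "bytes": 15000},
    {"ts": 48,  "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "bytes": 22000},
    {"ts": 410, "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "bytes": 9000},
    {"ts": 430, "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "bytes": 31000},
]

# Constructed passive-DNS and WHOIS lookups (assumed data, not real registrations).
DOMAIN_FOR_IP = {"203.0.113.9": "update-cdn-sync.example", "198.51.100.20": "news.example"}
REGISTERED = {"update-cdn-sync.example": date(2024, 5, 1), "news.example": date(2009, 3, 14)}
ASOF = date(2024, 5, 20)

# Thresholds are assumptions for the example; tune them against real baselines.
BEACON_CV_MAX = 0.1      # coefficient of variation below this = near-constant interval
YOUNG_DOMAIN_DAYS = 30   # domains registered more recently than this are suspicious
MIN_FAN_IN = 2           # distinct internal hosts sharing one external endpoint


def beacon_cv(timestamps):
    """Coefficient of variation of inter-flow gaps; 0.0 means perfectly regular beaconing.
    Returns None when there are too few flows to judge."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return None if m == 0 else pstdev(gaps) / m


def domain_age_days(domain, registered, asof):
    """Age of the domain in days, or None if the registration date is unknown."""
    reg = registered.get(domain)
    return None if reg is None else (asof - reg).days


def find_c2_candidates(flows, domain_for_ip, registered, asof):
    """Score each external destination on beaconing, domain age and graph fan-in."""
    by_pair = defaultdict(list)      # (src, dst) -> timestamps
    hosts_for_dst = defaultdict(set) # dst -> internal hosts (the bipartite graph)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
        hosts_for_dst[f["dst"]].add(f["src"])

    candidates = []
    for dst, hosts in hosts_for_dst.items():
        regular = any(
            (cv := beacon_cv(by_pair[(h, dst)])) is not None and cv < BEACON_CV_MAX
            for h in hosts
        )
        age = domain_age_days(domain_for_ip.get(dst, ""), registered, asof)
        score = int(regular) + int(age is not None and age < YOUNG_DOMAIN_DAYS) + int(len(hosts) >= MIN_FAN_IN)
        if score >= 2:
            candidates.append({"dst": dst, "hosts": sorted(hosts), "beaconing": regular,
                               "domain_age_days": age, "score": score})
    return sorted(candidates, key=lambda c: -c["score"])


if __name__ == "__main__":
    for c in find_c2_candidates(FLOWS, DOMAIN_FOR_IP, REGISTERED, ASOF):
        print(c)
```

Each signal alone is weak: CDNs are contacted by many hosts, software updaters beacon on a schedule, and new domains are registered legitimately every day. Requiring at least two of the three to agree is what keeps the false-positive rate tolerable at ISP scale, and it is also why the destination found here (regular cadence, 19-day-old domain, two hosts) stands out while the browsing traffic does not.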
ISP-Based Threat Detection: Strengths and Strategy
One key advantage for Lumen and similar ISPs is visibility. Lumen carries an estimated 10% of global internet traffic. This allows them to observe large-scale patterns that endpoint solutions can’t. Their team focuses on spotting campaigns that target routers, DNS records, and low-level networking infrastructure—a space often ignored by cloud-first EDR providers.
For instance, Danny details past efforts to uncover nation-state malware like KV-Botnet and ZuoRAT, which exploit small office/home office routers. These types of attacks manipulate DNS records, sniff unencrypted traffic, and redirect connections to malicious infrastructure. And since many home users buy their own routers and don’t update them, they become easy targets.
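DNS tampering on a customer router is one of the few router-malware effects an ISP or a home user can audit from the outside. The following added example, written for this page rather than taken from Lumen or from any vendor, checks two things per device: whether the resolvers the router hands out via DHCP fall inside an expected range, and whether the router's answer for a canary domain matches a reference answer obtained elsewhere. The trusted ranges, the router snapshots and the reference answer are all constructed; a real deployment would feed it live DHCP and DNS probe results.

```python
import ipaddress

# Constructed: resolver ranges an operator expects its customer equipment to advertise.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]

# Constructed reference answer for a canary domain, as seen from a resolver we control.
REFERENCE_ANSWERS = {"bank.example": ["198.51.100.10"]}

# Constructed probe results: what each router advertises and what it answers when asked directly.
SNAPSHOTS = [
    {"router": "cpe-a", "dns": ["192.0.2.53"],    "answers": {"bank.example": ["198.51.100.10"]}},
    {"router": "cpe-b", "dns": ["203.0.113.66"],  "answers": {"bank.example": ["203.0.113.99"]}},
    {"router": "cpe-c", "dns": ["192.0.2.53"],    "answers": {"bank.example": ["203.0.113.99"]}},
    {"router": "cpe-d", "dns": ["2001:db8:53::1"], "answers": {"bank.example": ["198.51.100.10"]}},
]


def resolver_is_trusted(addr, trusted_nets):
    """True if the advertised resolver lies inside one of the expected ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def audit_snapshot(snapshot, trusted_nets, reference):
    """Return a list of finding strings for one router; an empty list means no anomaly."""
    findings = []
    for addr in snapshot["dns"]:
        if not resolver_is_trusted(addr, trusted_nets):
            findings.append(f"untrusted_resolver:{addr}")
    for domain, expected in reference.items():
        got = snapshot["answers"].get(domain)
        # A missing answer is reported too: a tampered device may refuse or sinkhole the canary.
        if got is None or set(got) != set(expected):
            findings.append(f"answer_mismatch:{domain}")
    return findings


def audit_all(snapshots, trusted_nets, reference):
    """Map router name -> findings across a fleet of probe snapshots."""
    return {s["router"]: audit_snapshot(s, trusted_nets, reference) for s in snapshots}


if __name__ == "__main__":
    for router, findings in audit_all(SNAPSHOTS, TRUSTED_RESOLVER_NETS, REFERENCE_ANSWERS).items():
        print(router, "OK" if not findings else ", ".join(findings))
```

The third device is the instructive case: it advertises a trusted resolver yet still returns the wrong address, which is what a router that intercepts DNS locally looks like. Checking only the configured resolver would have passed it, so the answer comparison is the check that actually catches record manipulation; the resolver check mainly catches the cruder settings change.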
From Detection to Disclosure: The Role of Public Research
When Lumen finds something severe, they don’t just alert their own customers—they publish technical blogs through Black Lotus Labs. Their goal? Transparency and community collaboration.
Danny explains that public disclosures go through legal review and often involve coordination with vendors before going live. For example, when they discovered a webshell on Versa Director devices, they notified the vendor directly before publishing their findings.
Still, the role of attribution remains tricky. As Ron and Danny note, even experienced teams must tread carefully—what looks like China or Russia might be a false flag. And getting attribution wrong could trigger diplomatic backlash or even cyber conflict.
The Forgotten Internet and End-User Risk
Danny highlights a disturbing blind spot in our global infrastructure: forgotten devices. These include cheap routers, neglected IoT devices, and dusty webcams still connected to the internet but long abandoned by users. ISPs like Lumen attempt to patch these devices automatically, but customer-owned hardware often slips through the cracks.
This patching gap, combined with increasingly aggressive nation-state campaigns, makes proactive defense more vital than ever.
What It Takes to Be a Threat Hunter
For aspiring cybersecurity professionals, Danny offers sage advice. Traditional certifications like CISSP or CEH are helpful, but big data fluency is essential. Tools and languages like PySpark, Scala, and Kubernetes are foundational. But above all, choose a focus—whether routers, identity systems, or cloud posture management—and learn to ask “Why?” repeatedly until you find the answers.
Ron praises Danny’s humility and transparency—qualities sometimes rare in an industry full of self-proclaimed experts. The message? Cybersecurity isn't just about flashy zero-days or headlines. It’s about quietly watching, rigorously validating, and protecting people on a scale few can appreciate.
Final Thoughts: Collaboration Over Isolation
Whether it’s debating hack-back policies or tracking botnets, both segments of the video deliver the same lesson: cybersecurity is too big to handle alone. From ISP-level telemetry to malware sandboxing, public-private partnerships and vendor collaboration remain the best path forward.
As Ron closes the episode, he encourages viewers to subscribe and reach out with ideas. “If you’re building something to help solve these problems, we want to hear from you.”
In the ever-evolving cyber battlefield, transparency, innovation, and community matter more than ever. And with practitioners like Danny Adamitis leading the charge, there’s hope that defenders can stay one step ahead.